author | Jakub Zelenka <bukka@php.net> | 2015-09-06 16:39:59 +0100 |
---|---|---|
committer | Jakub Zelenka <bukka@php.net> | 2015-09-06 16:39:59 +0100 |
commit | d47029167dfc2184f9a630a75a55e145bff8b017 (patch) | |
tree | 03f3f4992fe532fc5f83e2bb30e862449ab25873 /ext/openssl | |
parent | aed225b7e4d711d7c2cbf45f59e5f66929debb94 (diff) | |
Fix bug #60632: openssl_seal fails with AES
Diffstat (limited to 'ext/openssl')
-rw-r--r-- | ext/openssl/openssl.c | 4 | ||||
-rw-r--r-- | ext/openssl/tests/bug60632.phpt | 25 |
2 files changed, 29 insertions, 0 deletions
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index cc86f0440f..de5a7d4c58 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4871,6 +4871,10 @@ PHP_FUNCTION(openssl_seal)
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm.");
 RETURN_FALSE;
 }
+ if (EVP_CIPHER_iv_length(cipher) > 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Ciphers with modes requiring IV are not supported");
+ RETURN_FALSE;
+ }
 } else {
 cipher = EVP_rc4();
 }
diff --git a/ext/openssl/tests/bug60632.phpt b/ext/openssl/tests/bug60632.phpt
new file mode 100644
index 0000000000..c718fed6db
--- /dev/null
+++ b/ext/openssl/tests/bug60632.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #60632: openssl_seal fails with AES
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip openssl not loaded");
+?>
+--FILE--
+<?php
+$pkey = openssl_pkey_new(array(
+ 'digest_alg' => 'sha256',
+ 'private_key_bits' => 1024,
+ 'private_key_type' => OPENSSL_KEYTYPE_RSA,
+ 'encrypt_key' => false
+));
+$details = openssl_pkey_get_details($pkey);
+$test_pubkey = $details['key'];
+$pubkey = openssl_pkey_get_public($test_pubkey);
+$encrypted = null;
+$ekeys = array();
+$result = openssl_seal('test phrase', $encrypted, $ekeys, array($pubkey), 'AES-256-CBC');
+echo "Done";
+?>
+--EXPECTF--
+Warning: openssl_seal(): Ciphers with modes requiring IV are not supported in %s on line %d
+Done |
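Review bot: The new `EVP_CIPHER_iv_length(cipher) > 0` guard in the `if (method)` branch is undocumented, and after it the only ciphers openssl_seal() accepts are IV-less ones: the RC4 default in the `else` branch, or modes such as ECB. Both are weak choices for sealing data, so the restriction should be recorded as a stop-gap in the code. I would add a comment above the check along the lines of `/* the IV used for sealing cannot be returned to the caller through the current signature, so the data could not be opened again; reject until an iv out-parameter exists */`. That reason is inferred from the bug title rather than visible in the hunk, so please confirm it before committing the wording. The warning text could also point the caller at what does work, for example `"Ciphers with modes requiring IV are not supported; use a cipher without an IV"`. The body of openssl_seal starts and ends outside this hunk, so whether anything allocated earlier needs freeing before this `RETURN_FALSE` cannot be checked from here.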
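Review bot: The test matches only the warning text and never inspects `$result`, so a regression that emits the warning but still returns a length or fills `$encrypted` would pass. Adding `var_dump($result);` before `echo "Done";`, with a matching `bool(false)` line in --EXPECTF--, would pin the failure path. The --SKIPIF-- section checks only that the extension is loaded. If the linked OpenSSL lacks AES-256-CBC, the earlier "Unknown signature algorithm." branch would presumably fire instead and the test would fail for an unrelated reason. A guard such as `if (!in_array('AES-256-CBC', openssl_get_cipher_methods())) die("skip AES-256-CBC not available");` would avoid that.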